Detailed explanation of bitcoin
That transaction is where their coins are sent if they solve that block. Because miners competing against each other want their coins to be sent to different addresses, and those addresses are hashed together with their nonce, it does not matter if everyone starts their nonce from zero.
The added randomness from differing generation transaction addresses prevents each miner from working in the same space as others. I had wondered about the same question as the author.
Your explanation clears it up for me. Moreover the nonces need not be enumerable. If randomly picked from a large enough pool it is unlikely that the same nonce gets picked twice. Only one thing to add on another post: Bitcoin has 3 methods for finding peers: Did I miss it? Does it have anything to do with quantum computing? Oops — actually, I had an extended discussion of this question, but deleted it just before I posted.
The reason I deleted it is that the discussion was inconclusive. The separation seems to be a fairly arbitrary design decision — there are some minor space and security advantages, but not enough in my opinion to justify making the Bitcoin address the hash rather than the public key. That reduces the window during which the private key could be derived and used in a double-spend to about 10 minutes.
This has significant ramifications for the safe transition to quantum-proof cryptography, if nothing else. To me, both seem like relatively small points. On the first point, many people reuse addresses, so in practice public keys are often widely known. So it does seem a bit arbitrary.
This might make a nice example for my post on Bitcoin scripting. I have read that there is no known algorithm that would allow public keys to be derived from public addresses within a practicable timescale, even with quantum computing. However, the same is not true for deriving private keys from public keys. Thus addresses that have not been used to spend, have benefits in terms of being more QC proof. I recall Vitalik Buterin writing on this topic. It looks like the protocol version is inside the JSON.
What would be the incentive for non-miners to answer your question? Why would you trust the answers or lack thereof? After all, if I understand correctly, when there is no transaction fee set aside, the miners could very well choose to omit transactions from their blocks? On trusting the answers: The requirement of a signature makes this hard to forge by a malicious naysayer. On your last point, yes, this is a very interesting question.
At present this all seems to be working okay, but over the long run I suspect will limit the use of Bitcoin for small transactions. On the last point: I could see the transaction fee being indirectly related to the time required to confirm a transfer. If you want your transfer confirmed quicker, then you have to pay. Also could someone with very large resources overwhelm the network with bad data?
Eg, if china wanted to use some super computers or a bot net to stop bitcoin from operating by adding all sorts of bad data to the block chains? Denial of service type attacks are a real problem. On the first question, the answer is, I think: Android had a bug in their random number api that was successfully exploited. Or maybe someone dies but the next of kin doesnt know the details?
Lost bitcoins are just that — gone from the money supply for good, unless someone manages to either a recover the keypair; or b breaks the underlying crypto. That brings up an interesting scenario, on a long time scale there will have to be some allowance made for replacement of the lost coins, or sub-division of the satoshi.
With Bitcoin; losing the private key for good is more like accidentally dropping your coins out of an airplane over the pacific ocean. Looks like we both independently arrived at similar methods of explanation: Thank you so much!!!! I had wanted an understandable primer on Bitcoin since ages and this was a fabulous read!
It looks likely to cause floating point approximation errors. Just wanted to say thanks for a really great essay — the explanation was really clear, and totally fascinating. Can quantum computers mine bitcoin faster? Does this boil down to how quickly a quantum computer can find a string that has a specified property for SHA? For which we have a quadratic speedup, but probably no more? Thanks for this, while I understood the majority of it, the coding element was very useful — especially highlighting where the script goes in conjunction with the transaction.
While a lot of people know abot bitcoin, there is such a shortage of good quality technical info. Why is bitcoin built to be inherently deflationary?
This seems to be the go-to argument against why it will ever gain widespread adoption as a currency. Why does the reward for mining bitcoin halve every , blocks?
Could there be a point in the future where this is reversed? I certainly suspect as do you that these may ultimately turn out to be design flaws. Bitcoin is NOT deflationary. It is inflationary with a known and decreasing rate up until around at which point it will stop being inflationary.
The only deflation in Bitcoin may happen through coin loss. The same, by the way, is true for Fiat. The difference is that Fiat can be arbitrarily inflated and with Bitcoin it is not arbitrary. Why is it inflationary at all as in, why not start with a predetermined amount of bitcoins that never change.
Bitcoin designers wanted a way to spread bitcoins around without starting with a central authority that has them all and gives them out like, say, ripple. The bitcoin generating part of mining does exactly that. Bitcoin is only not deflationary if you assume that real wealth production will gradually slow, and eventually stabilize around at the same pace as the drop in Bitcoin production.
The more that needs to be paid out in each transaction to cover the fees, the lower prices and actual payments will have to fall to make room for that overhead. Lower revenue translates to lower ability to afford a given price level, and so on. What actually needs to be demonstrated is that there is any value in allowing any static, nonproductive account to maintain its nominal value, as opposed to using the inherent decline in the value of such accounts provide the baseline motivation to use more productive investments to store anything beyond cash sufficient to meet immediate needs for liquidity.
Trying to store value in money rather than in future production potential is the ultimate perverse incentive, rewarding fraud and financial manipulation far out of proportion to development of real assets. There are excellent reasons for wanting to store value. One obvious one is the desire to save for retirement. JPE V66 6 Dec. Actually bitcoin is inherently deflationary if you believe that the size of the bitcoin economy will grow faster than the money supply.
Although not quite intuitive, it does make sense upon reflection that the money supply reflects the value of the economy it represents. If the money supply is growing faster than the underlying economy then you get inflation. If the money supply is growing slower than the economy you get deflation. I think all but a few of us expect the bitcoin economy to grow faster than the supply of bitcoins — hence we have a deflationary currency.
The wisdom of that choice is another mater, of course. One could imagine many different scenarios for the amount and timing and conditions of new currency entering the system. Does everyone have their own version of it or do they sync to a master?
Does every block chain get updated when validation is completed? But the way the protocol is designed at present there is a sizeable number of people keeping a full copy of the block chain. This is currently quite a manageable size about 12 gig. If Bitcoin grows rapidly enough this may eventually become a problem.
The conclusion there, which seems to me believable, is that there are many options for scaling Bitcoin at least up to the level at which credit cards are used today, and perhaps further. Just about the total amount of bitcoins, if I understand well, new bitcoins are generated each time a transaction is processed? It means the more exchange we have, the more bitcoins in the market there is?
How were created the first bitcoins? Is there another way of creating bitcoins that checking transactions? Not per transaction but per block of transactions. Exchanges are a bad example. The transactions within the exchange happen outside the network.
There are so many trades going on within an exchange, it happens internally. And since trades need to happen fast, the network is not suited for that. Thanks for the great Bitcoin writeup.
What I think is more interesting than the cryptography aspect is the social-motivational aspect of Bitcoin and why it seems to be succeeding. Scaling this system to support a billion users transacting multiple times per day seems…. Anyway, all very interesting to watch. As usual, I got in late and out early with Bitcoin bought around 5, sold around , seemed like an awesome profit margin at the time… that aspect of Bitcoin is a lot like any other speculative investment, and is certainly fueling interest at this stage.
On scalability, check out https: Like you, though, I wonder about the long-run economics and impact of mining. Thanks for writing this great explanation of Bitcoin.
I noticed in the first Bitcoin transaction example, you mention 0. Thanks for the excellent writeup. I have a question about one item, hopefully you can explain it. It appears the money you send someone is merely chunks of one or more previous transactions.
Those previous transactions are the inputs for my transaction to you. How does the transaction message for the 2 bitcoin transaction prove that I was the recipient of those previous transactions when the addresses are all different? The proof is in the digital signature. That signature is generated using a public key which must match when hashed the address from the output to the earlier transaction. But if I understand correctly the need for every transaction to be publicly verified means that you are tied to all your transactions.
Anyone with a copy of the block chain can notice that the flow of money goes from various drug users, to Stringer, to Russell. If you really want to enable money laundering, first create a bank. Such a bank would have more uses than just money laundering. You will use a trusted middleman that does several transactions each day, some with good-guys and some with bad-guys. The middle-man then transfers out the necessary amounts to intermediate addresses yyy0 … yyyM that he has set up specifically for this transaction period.
Because all the incoming money has gone into the xxx address there is no way to separate out subsequently which money went to which reciever. If ALL the yyyy addresses belong to bad guys then you would be guilty by association. Many bitcoin services perform such mixing by default, based on what I have read. The legal ramifications for the mixing service provider are unclear to me.
But such a bank would have to keep its own records — both as a practical necessity and as a legal requirement — and those could be obtained by the authorities. Whereas cash can be laundered tracelessly, through a cash business like a casino or restaurant, which can perfectly innocently be expected to have lots of cash coming in and no way of knowing where it comes from.
Interestingly this is exactly what was done with silk road. It basically was a bitcoin bank moving bitcoins around in such a way the buyer and seller could not be connected.
Nonce starting at zero is not a vulnerability. The nonce is simply 32 bits out of the whole bit coinbase that you are hashing and there is no way to design a target solution to be distributed anywhere within the nonce range of those 32 bits. Of course this creates an obvious incentive for all participants to try to guess nonces in a different order than everyone else.
So it seems reasonable that most client software would use a random sequence of nonce guesses rather than guessing sequentially from 0. But still, if one were to find a vulnerability in the random number generator of a popular client, then it might be possible to design a competing client which would, in practice, almost always find the correct nonce before the targeted client, by virtue of guessing the same sequence a few steps ahead.
That would allow the attacker to successfully validate a share of blocks greater than their actual portion of the collective computational power, at the cost of everyone using the vulnerable client and finding the nonce less often than they should on average.
Alex has explained my concern well. As people make transactions, the public ledger grows. Will it not grow to an unmanageable size at some time? If the block chain forks, do the miners on both sides of the fork keep their rewards?
I am puzzled by transactions in blocks. Is it not possible for two miners to be working on different blocks which contain mostly, although not all, the same transactions? Does the second miner restart by taking his unverified transactions and putting them in a new block? However, over time only one of the forks will become the accepted consensus for confirmed transactions. And so only the miners from one fork will be able to redeem their transactions.
What will happen when an owner loses his wallet restores a backup from a few weeks back. He may have spent some coins, and he may have received some. Those transactions are no longer in his block chain. How would the block chain get back in sync? On your question-to-yourself about using two phase commit, I think the major issue would be vulnerability to denial-of-service attack.
A malicious user could set up a swarm of identities to act as nay-sayers and therewith deny some or all others from performing transactions. In my experience using the bitcoin client, you are not allowed to do anything on the bitcoin network until your block chain is in sync with the latest transactions.
It somehow recognizes how far behind your block chain is and starts downloading blocks and tells you how old your block chain is and how much left you have to update as it downloads more. BTW, I un-installed the bitcoin client because over the 1 year span that I had it installed, the block chain went from about 2 GB to about 25 GB, and the novelty of having my own copy of the block chain wore off in comparison to its cost. On the naysayer DDoS attack on two-phase commit: Here is a very entertaining rational explanation http: If we were to decide that the rewards should be different remaining at 25 indefinitely, for example , what exactly would have to change?
Is it the bitcoin mining clients that are hardwired to only validate transactions that award 25 coins to other miners when they validate their blocks, and the date of the validated block indicates that the award should be 25 BTC? Every , blocks the rate halves. No need to keep track of the date, simply count blocks. As the chain is just validated list of transactions, how there can be any cap on transactions?
What does hardcoded mean practically? You only own that much of bitcoins as others agree you own. So, hardcoded here means it is the original protocol suggested and supposed to be honored by all the users. Would it be, in principle, possible for all miners to agree on not lowering the reward at all? For example to continue to reward 25 per block for all eternity. I was thinking about how the blockchain is managed as more transactions are processed, thanks for the link https: In a way, Bitcoin is replicating a history of money evolution in an accelerated manner.
I wonder what will take place in the protocol to allow the peer-to-peer nature to continue while scaling the project to allow the transaction capacity necessary for a true currency.
Yeah, that is very interesting. And you do already see a lot of signs of centralization with the big mining pools:. This makes the concept difficult to grasp. Thanks for such a generous and informative post. There is so much babble on Bitcoin that it often seems to operate socially as more of a rorschach test on currency than an actual means of exchange. The devil, and the delight, are in the details. Bitcoin has fascinated me recently. I admit to not being able to fully wrap my head around it, but I took what I could and wrote a little here: How does the block chain know that the address sending the coins is correct?
The sender sends their sig to go with it, I assume paired up with the hash of the address allows the various nodes to validate right? They would need to in order to validate. So can a sig only be used once, and if so how is it generated and what prevents it from being faked? Public key cryptography is a remarkable and beautiful thing. Each client using Bitcoin has keypairs — one key in each pair is public, the other private.
The nature of asymmetric cryptographic digital signatures is that I can sign any piece of data using my private key, and anyone else with only my public key can verify that the person who signed that data holds the private key. In order to benefit they would have to be converted or be re-introduced later on. The situation is complicated further by the possibility of laundering. If you quickly spend some stolen bitcoins on, then it becomes very different to later recover those bitcoins, since now they may be in possession of honest parties.
Indeed, this is a critical question. The apparent lack of unambiguous protocol documentation makes me think that alternative implementations are difficult to achieve. I have one question or doubt: What is done with all these hashes?
Did you do this video or is this video inspired by this post!! Many people have asked about scalability, so let me just leave this here: I have a question: Could miners run a modified version of the software to choose not to publish a transaction in the blockchain? I mean, like a small group of powerful miners controlling the entire network?
If you control half or more of the total mining power in the network, you can keep a transaction out of the blockchain by solving blocks faster on average than the miners who are trying to include that transaction. If you control less than half, you can delay the transaction, but sooner or later the rest of the miners will get ahead of you and your version of the blockchain will lose out. There was a time in this country when you can go to the bank and trade in your 20 dollar bill for an oz of gold.
But a medium of exchange is just that, something used to facilitate trade, an accounting device. It should have scarcity value and be resistant to counterfeiting. Fiat currencies have scarcity value to the extent that they are usually printed in finite amounts. Gold is generally scarce. And bitcoin is scarce as well. Gold has been used as a medium of exchange for centuries. If people are willing to pay for something that is rare or unique, it has a value. The demand for it defines the price.
Excellent write-up, and I look forward to further installments — which leads me to ask: I just checked both RSS feeds, and they seem to be fine. I typically post longer essays, often in the 3,, word range, which is why I only update my blogs a few times a year. You may enjoy looking through some of my past articles.
This blog carries my more technical stuff, while my other blog http: I clicked through to the Feedburner page, and indeed the new stuff is there. Perhaps the problem is on the go read side? Am I to understand that it takes about 60 minutes to pay somebody through the Bitcoin network? I reached this conclusion based on the 10 minute average block confirmation and the requirement of it being 6 back in the chain before it is considered confirmed.
Full confirmation requires about 60 minutes. A confirmation takes 10 minutes. If you want full confirmation, then yes, on average it takes an hour 6 confirmations. For eCommerce, this will probably work in most cases. For retail, this can be an issue. However, there are a few points: Those are easily detected. It is the first article that I have been able to understand on this topic, and I have been reading a few on it.
And a comment to style, I really appreciated the higher-principled discussion on the topic. I have yet to read before now any intelligent comments to the social value, in particular your link to http: Great article and great discussion!
This is a very good overview of the technical aspects around the bitcoin protocol. The fact remains that bitcoins have no intrinsic value and the promise of a peer-to-peer payment network medium of exchange will not be fulfilled unless the bitcoin is transformed into a true digital currency. Here are my thoughts on how to accomplish that: Hi, first of all great explanation on Bitcoin, I love it!
I guess my question is simple to answer. How can I verify that a transaction is signed by a certain address if all I got is the hash of the public key? What am I missing guys?? The transaction contains the Bitcoin address of the payee or payees, if there are multiple outputs in the output fields, and the public key s and signature s of the payer s in the input fields.
Silly question from a non technical person: Where can I find the code and look at it? I would love to see you discuss tumblers and the effectiveness and possibility of anonymizing your bitcoins. In your anonymous section you speak of debunking a fairly huge myth without really backing it up.
For instance if TOR is compromised versus if it is not, or if other methods of obscuring traffic surrounding use of bitcoins are insufficient. I believe techniques similar to those used in those papers will be very useful for attacking Bitcoin. There are complications in Bitcoin, notably that some people though far from all routinely use new addresses for each transaction.
That makes an interesting challenge, and I think is different than in earlier work on de-anonymization. Linking bitcoin addresses to a real identity requires that a real identity is somehow associated with an address in the first place. In the case of Silk Road, the guy who sends me the drugs would need my mailing address, but that can be fudged as well.
If he does not store my mailing address, nothing gets linked to me if the drugs arrive safely. Now if i do the same thing many times, it may be possible to ID me using other vectors — but explain how anyone could ID me using the blockchain if I buy the bitcoin with cash on the street, and spend it leaving no permanent record. The system is anonymous, but traceable. There are several other methods as well.
To remain anonymous, you have to take pretty extreme measures. This includes the use of tumblers and foggers, but you cannot guarantee they will work. You mention using multiple sub-puzzles to reduce variance. This is a bad idea as it introduces progress. Unfortunately, the details are more complex than I want to write out right now; I may come back to it in a future post.
Also you talk about risk of nonce reuse. This wont happen because people mine for their own reward address, so even if the nonce is reused the work proof wont be. Further in the case of pool mining the pools hand out work, specifically to avoid nonce re-use which is somewhat insecure as others could guess the work range of other users and race them to produce it. And finally the secure way is pooled miners use getblocktemplate and use a large random counter start extranonce.
If extranonce is large enough and random the probability of nonce collision is pratically 0. You can read about this in the hashcash paper http: For decentralization miners should also choose their own blocks by running as a full node and filling in the details into the coinbase provided by getblocktemplate. I presume the form it would take is the proof of double spend would be one of the double spends. There have been proposals to forward double-spends with a double-spent marker currently the first only is received.
Maybe just an api to ask if there are any transactions conflicting with a given transaction a user could ask a few random nodes to gain confidence. You also have to bear in mind preserving the 0-confirmation spend functionality. Many people rely on that for low value point of sale transactions. You might consider removing the footnote. IMO, Bitcoin cannot be successfully defended as free speech.
Free speech is not a full blown unlimited right, as yelling fire in a crowded theater reminds us. But Article I, Section 8, subparagraph? I hope this comment does not derail a great discussion of Bitcoin. Please delete my comment if it becomes a red herring. That question about a nounce… I think that the parametres of the puzzle differs for every single miner. So there is no point in trying to trick others — parametres of their puzzles are different.
Its OK for everyone to just try 0,1,2 etc…. Is that usually because someone else got there first? Do you know about what fraction of proof-of-work computations get rewarded? Whoever finds the hash that is smaller than the currently defined difficulty, they will gain the reward for the block. The difficulty is adapted every two weeks or so to reflect the changing now growing power of the network. It seems that over time you would accumulate a large number of coins of varying fractional values, and to make a payment you would have to lump together a collection of fractional coins to equal or exceed the transaction required, then typically end up with paying yourself your change.
This one-way process of cutting off pieces of a bitcoin would continue steadily. A holding of one bitcoin would end up being constituted of maybe hundred or thousands of differently-sized fractions. In turn, that will lead to the block chain file growing faster and faster. This is not a problem. But other transactions undo fragmentation.
For example, a 5-input, 2-output transaction will reduce fragmentation. This sounds a little complex for the user, but in practice, good client software will make this invisible. For instance, if I have. I guess this sort of boils down to whether the use of high cost computing equipment is a function of competition and price or problem complexity?
Both are hypothetical but I was curious to know if you or anyone had considered these questions. Anoncoin, Phenixcoin, Primecoin, etc. I take it that the protocol is the same among the clients, though hash algorithms, proofs of concept, and the like may differ.
From what I understand, if I use XPMs and want to buy something from a vendor who accepts BTCs, I have to go through some broker or exchange facility to complete the transaction.
Suppose Alice tries to double spend an infocoin with both Bob and Charlie. The idea is that Bob and Charlie would each broadcast their respective messages to the Infocoin network, along with a request: This protocol needs to be hardened against network attacks, but it seems to me to be the core of a good alternate idea. How well does this work? What drawbacks and advantages does it have compared to the full Bitcoin protocol?
Detecting attempted double-spends as soon as possible is great for low-value, in-person transactions, and we should do more to support that use case. In your next instalment, could you give a broad description of where the protocol is actually to be found is it a particular piece of software? These are important questions because they go to the ability of Bitcoin to evolve and develop, but it is very hard to find any good general account of these issues. I am still having one big problem — and I feel like I must be missing something obvious.
Who is going to be looking to reject it, and what does that even mean? If a malicious party Alice manages to complete a block that contains transactions that are not, in fact, valid then what? Do other miners check them before building on top of her faulty block? Anyone with a copy of the block chain is not going to accept an additional block which has an obvious attempt to double spend in it.
So that means that miners examine each block for conflicts before they choose to build on it…? Will their block if they solve it become invalidated if down the line someone points out that they built on a block with a double spend? If so, the money earned by Miner essentially is imaginary and something that only exists within trust that bitcoin is going to continue to work.
I guess there are two cases: Also, why assume every , blocks is occurs every 4 years? If everybody would like to exit Bitcoin at the same time the price would collapse. The current speculation is though, that the opposite is true. Many people try to buy bitcoins for the fiat money. The block chain is a shared public ledger on which the entire Bitcoin network relies.
All confirmed transactions are included in the block chain. This way, Bitcoin wallets can calculate their spendable balance and new transactions can be verified to be spending bitcoins that are actually owned by the spender. The integrity and the chronological order of the block chain are enforced with cryptography. A transaction is a transfer of value between Bitcoin wallets that gets included in the block chain.
Bitcoin wallets keep a secret piece of data called a private key or seed, which is used to sign transactions, providing a mathematical proof that they have come from the owner of the wallet. The signature also prevents the transaction from being altered by anybody once it has been issued. All transactions are broadcast between users and usually begin to be confirmed by the network in the following 10 minutes, through a process called mining.
Mining is a distributed consensus system that is used to confirm waiting transactions by including them in the block chain. It enforces a chronological order in the block chain, protects the neutrality of the network, and allows different computers to agree on the state of the system.
To be confirmed, transactions must be packed in a block that fits very strict cryptographic rules that will be verified by the network. These rules prevent previous blocks from being modified because doing so would invalidate all following blocks. Mining also creates the equivalent of a competitive lottery that prevents any individual from easily adding new blocks consecutively in the block chain.
This way, no individuals can control what is included in the block chain or replace parts of the block chain to roll back their own spends.